Active Directory and BitLocker – Part 3: Group Policy settings

• Author
• Recent Posts

Kyle Beckman

Kyle Beckman works as a systems administrator in Atlanta, GA supporting Office 365 in higher education. He has 17+ years of systems administration experience.

Latest posts by Kyle Beckman (see all)

• Managing shared mailboxes in Office 365 with PowerShell - Thu, May 5 2016
• Managing shared mailboxes in Office 365 with the GUI - Wed, May 4 2016
• Installing and configuring the Enhanced Mitigation Experience Toolkit (EMET) - Wed, Mar 16 2016

The last thing you’ll need to do before encrypting your next drive is to configure Group Policy. I copied the essential Microsoft’s Best Practices settings and added my own experiences at the end of the article. In a new or existing Group Policy Object, navigate to Computer Configuration, Policies, Administrative Templates, Windows Components, BitLocker Drive Encryption, and set the following:

Top Level / Global

• Choose drive encryption method and cipher strength – Set to not configured.
• Prevent memory overwrite on restart – Set to not configured.
• Provide the unique identifiers for your organization - Set to enabled, and enter an identifier in the BitLocker identification field.

Operating system drives

• Choose how BitLocker-protected operating system drives can be recovered - Set to enabled, save BitLocker recovery information to Active Directory Domain Services (AD DS) for operating system drives, store recovery passwords and key packages, do not enable BitLocker until recovery information is stored to AD DS for operating system drives, and omit recovery options from the BitLocker setup wizard.
• Configure minimum PIN length for startup - Set to enabled, and require a personal identification number (PIN) of at least seven numerals.
• Require additional authentication at startup - Set to enabled, and require the use of a startup PIN with a Trusted Platform Module (TPM).

Fixed data drives

• Choose how BitLocker-protected fixed drives can be recovered - Set to enabled, save BitLocker recovery information to AD DS for fixed data drives, store recovery passwords and key packages, do not enable BitLocker until recovery information is stored to AD DS for fixed data drives, and omit recovery options from the BitLocker setup wizard.
• Configure use of passwords for fixed data drives - If your organization does not have a public key infrastructure (PKI), set to enabled, require password complexity, and set a minimum password length of at least 12 characters.
• Configure use of smart cards on fixed data drives - If your organization has a PKI, set to enabled, and require the use of smart cards with fixed data drives.

Removable data drives

• Choose how BitLocker-protected removable drives can be recovered - Set to enabled, save BitLocker recovery information to AD DS for removable data drives, store recovery passwords and key packages, do not enable BitLocker until recovery information is stored to AD DS for fixed data drives, and omit recovery options from the BitLocker setup wizard.
• Configure use of passwords for removable data drives - Set to enabled, set a >minimum password length of at least 12 characters, and require password complexity if your organization does not have a PKI or if there is a need to access BitLocker-protected drives from computers running Windows XP or Windows Vista.
• Configure use of smart cards on removable data drives - Set to enabled, and require the use of smart cards with removable data drives if your organization has a PKI.
• Control use of BitLocker on removable drives - Set to enabled, and allow users to apply BitLocker protection on removable drives.
• Deny write access to removable data drives not protected by BitLocker - Set to enabled, and disallow write access to devices configured in another organization. NOTE: This policy cannot be enabled if your organization uses recovery keys or startup keys. Recovery keys and startup keys must be stored on unencrypted USB drives.

There are a few things you’ll need to note when configuring these settings in Group Policy for your Active Directory. First off, notice the underlined PIN/password lengths above. These are the Best Practice recommendations from Microsoft, not necessarily the best settings for your organization. It may take you some testing or trial and error to find what works best for your organization’s security requirements and what will work best for your user base. That said, my experience has been that these settings are very reasonable and work well for the average end user. You’ll want to pay close attention to minimum PIN length for operating system drives; it doesn’t make much sense to encrypt the OS and then set a short PIN that can easily be guessed.

Second, make sure you get the “Require additional authentication at startup” setting correct under “Operating system drives.” Make sure that “Allow BitLocker without a compatible TPM” is unchecked and that you’re not requiring more than one startup option. This is how it should look:

Correct Settings for OS Drive Startup

Do you want to back up the TPM owner information? If so, you’ll need to go to Computer Configuration, Policies, Administrative Templates, System, Trusted Platform Module Services, and set “Turn on TPM backup to Active Directory Domain Services” to Enabled. Make sure the “Require TPM backup to AD DS” is checked.

Backup TPM Owner Info

What are the typical power settings on your laptops? If you want to make your BitLocker-encrypted devices as secure as possible, you’ll need to disable Sleep mode. If a BitLocker-encrypted device is allowed to enter Sleep mode, an attacker would have console access to the machine to attack it bypassing the BitLocker PIN entry screen. Go to Computer Configuration, Administrative Templates, System, Power Management, Sleep Settings.

• Sleep Settings
  • Allow Standby States (S1-S3) When Sleeping (Plugged In) – Disabled
  • Allow Standby States (S1-S3) When Sleeping (On Battery) - Disabled

Disable Standby States